As the public becomes more and more aware of ransomware threats through journalistic outlets and the advice of security professionals, threat actors face more challenges in successfully monetizing the deployment of their tools. The longevity of ransomware as a viable criminal enterprise relies upon the continued innovation that ensures threat actors can deliver and monetize infected machines. Much of the innovation seen in 2016 was focused on defying the expectations for how ransomware is delivered such as steganographic embedding of ransomware binaries, other forms of file obfuscation, and requirements for command line argumentation. These were all put forward as ways to ensure victims are infected by the ransomware and put into a position where they may be compelled to pay the ransom and thereby monetize the infection for the threat actor.

While it is easy to be caught up in hype regarding the smallest alteration to ransomware behavior, sometimes a step back and a look at the ransomware business model is more helpful. While the alteration in the extension given to files encrypted by Locky may be easy fodder for blog posts, changes like the addition of the “.shit” extension is likely little more than a jab at information security researchers who have placed a significant amount of stock in the extension applied to encrypted files. Simply put—changing the file extension used by this malware doesn’t fundamentally change how the malware impacts victims. And most victims probably don’t care what extension is applied to their now-inaccessible documents. Most importantly, it does not impact how the threat actor intends to generate revenue from that new infection.

Many of the changes seen in ransomware delivery through 2016 have supported the core of the business model by guaranteeing the maximal number of infections. Innovative means of bypassing controls, frustrating analysis, and creating difficulties for incident response were all created by defying certain expectations. These were all put forward as ways to ensure victims are infected by the ransomware and put into a position where they may be compelled to pay the ransom and thereby monetize the infection for the threat actor. However, as the public becomes more and more aware of ransomware threats through journalistic outlets and the advice of security professionals, threat actors face more challenges in successfully monetizing the deployment of their tools. The longevity of ransomware as a viable criminal enterprise relies upon the continued innovation that ensures threat actors can deliver and monetize infected machines.

One arena in which few ransomware developers have made forays is the capability to repurpose infected machines for other criminal endeavors. Widespread usage of ransomware as a first-step utility is still uncommon among the most prominent ransomware varieties as is the side-by-side delivery of other malware utilities via phishing email. However, this capability would be a simple addition to most ransomware varieties and would stand to create new and virtually-unlimited additional avenues for further monetization of infected machines beyond the collection of a ransom payment. One ransomware variety that has already begun to incorporate this functionality into its behavior is the Troldesh encryption ransomware.

Troldesh ransom note

An example of this ransomware was recently analyzed and was found to also deliver a content management system (CMS) login brute-force malware in addition to its core ransomware payload. This malware is designed to force its way into content management systems like WordPress and Joomla by guessing the login credentials. This is valuable to threat actors as it allows them to compromise those websites for any number of reasons including the posting of new malware payloads to be downloaded in later campaigns. Beyond giving threat actors access to the compromised websites, this malware also pushes the responsibility for those compromises away from the threat actor, giving them some level of deniability and distance from the attacks. However, the victim, whose computer is now being used to launch brute-force attacks on websites, must still pay the demanded ransom to regain access to the files that have been encrypted by Troldesh.

However, Troldesh is a ransomware that has a relatively low profile among ransomware varieties—especially in terms of its impact on English-speaking populations. However, another example was identified more recently that indicates that this one-two punch technique is also being used in conjunction with the Locky encryption ransomware—a malware that has a far wider reach and is more well-known.

A set of emails was found to deliver the Locky encryption ransomware alongside the Kovter malware. This pairing is notable as it represents an interesting set of malware utilities delivered to victims. In this case, the Kovter trojan allows the threat actor to maintain access and potentially deliver other malware to machines while also monetizing the infection through click-fraud activities. The messages analyzed by PhishMe Intelligence claimed to deliver a notification regarding the status of a package shipped via FedEx. The JavaScript application attached to these emails was designed to facilitate the download of both a Locky encryption ransomware binary and the additional Kovter sample. This setup harnesses the most successful ransomware of 2016 to provide a short path to financial gains while also including the ability for the threat actor to perform reconnaissance and perhaps even maintain access to the infected environment for extended periods of time.

FedEx phishing email delivering Locky and Kovter

However, repurposing a victim’s computer to carry out the activities highlighted in these examples are just two examples of what a threat actor could do if additional malware or capabilities are incorporated into ransomware samples. Two factors could make a scenario like this have a significant impact on an individual or company. First, if a threat actor can place a ransomware sample within an environment and then expand their reach using additional malware samples, the threat actor has created two avenues for victimizing that individual or organization. The ransomware is most obvious component of this scenario, but the additional malware sample could be used for a much longer and more damaging operation with implications reaching far beyond the ransomware incident. Secondly, since the expectation is that the ransomware sample is the only avenue for monetization and the only malware involved in most ransomware incidents, an individual or organization may not seek out the additional malware and instead address only the obvious threat instead of the quieter and more longitudinal threat.

The prospect of ransomware featuring additional capabilities or acting as malware downloaders is troubling. It greatly complicates the threat landscape and adds burdens to information security professionals tasked with protecting organizations from both ransomware and other malware utilities. The good news, however, is that many organizations are already aware and empowered to address both ransomware and non-ransomware malware threats. Phishing email has been the most prominent avenue for the delivery of both these categories of malware utility and is an arena where organizations can form holistic defense plans. Holistic phishing defense includes the education and empowerment of all email users to identify and report phishing emails before engaging with the malware they deliver. The information security professionals within those organizations can then utilize that internal intelligence from user reports along with external intelligence to best identify and respond to not just the obvious threats like ransomware, but also the quieter and less-obvious malware threats as well.

The full report on this Troldesh sample used to deliver additional malware payloads is available to PhishMe Intelligence users here. The list below includes a number of IOCs related to this analysis.

It is important to PhishMe to avoid hyperbolic conclusions whenever possible. In the interest of clarifying some conclusions that have been drawn from this blog post, it is important to keep in mind the nature of Locky distribution and how this malware is delivered to victims. We consider it a serious responsibility to report on very real threats in a way that lends itself to our credibility as well that the credibility of all information security professionals.

PhishMe has no reason to believe that this set of emails was delivered only to victims of the OPM incident nor to government employees as part of a spear phishing attack.

The email addresses associated with the OPM breach have not been actively circulated. As such, it is incredibly unlikely that the threat actors have any detailed knowledge of who will be receiving these emails. Furthermore, PhishMe has not received any confirmation that anyone impacted by the OPM incident has received a copy of these emails. Many people who were not affected by the OPM incident and are not affiliated with the U.S. government also received copies of these messages and are also put at a very real risk by this ransomware.

***

A continuing truth about the Locky encryption ransomware is that its users will take advantage of any avenue that they believe will secure them a higher infection rate but still utilize predictable themes. This time, the threat actors have chosen to impersonate the US Office of Personnel Management in one of their latest attempts to infect people with this ransomware. As we have noted in previous reporting, Locky has set the tone for 2016 with its outstanding success as an encryption ransomware utility. As we approach the end of the year, this ransomware continues to be a fixture on the phishing threat landscape.

One key example of this malware’s phishing narratives is a set of emails analyzed by PhishMe Intelligence this morning that cite the purported detection of “suspicious movements” in the victim’s bank account that were detected by the US Office of Personnel Management.

Screenshot of phishing message impersonating OPM

The ZIP archives attached to these messages contains a hostile JavaScript application used to download and run a sample of the Locky encryption ransomware.

This phishing narrative comes with a few notable implications. First, emails that are designed to appear as if they were sent by the OPM and the threat actors hope that these are more likely to appeal to government workers and employees of government contractors. Secondly, the threat actors may also how that these messages are also more likely to appeal to individuals who have been subject to a loss of personal information as a result of the high-profile OPM breach.

If either of these implications bear any truth, the Locky threat actors once again demonstrate their unscrupulous nature and willingness to exploit the misfortune of others at any step in their delivery and infection process. However, absent the reference to the Office of Personnel management, this set of emails would be just another set of phishing emails delivering Locky featuring strange word choice such as “suspicious movements” and “out account”.

These emails reinforce the fact that overcoming the phishing threat and the ransomware it delivers is not some insurmountable task. Instead, user education and the bolstering of incident response practices can give organizations the edge over threat actors.

Indicators of compromise related to this set of Locky emails are verbose—323 unique JavaScript application attachments were identified with the capability to download obfuscated Locky payloads from 78 distinct payload locations. These locations are listed below.

hxxp://cgrs168[.]com/xmej0mc

hxxp://acrilion[.]ru/84m9t

hxxp://geethikabedcollege[.]com/766epkuj

hxxp://thisnspeel[.]com/766epkuj

hxxp://thisnspeel[.]com/3ypojyl

hxxp://flurrbinh[.]net/7wi66hp

hxxp://vexerrais[.]net/6sbdh

hxxp://3-50-90[.]ru/u4y5t

hxxp://corinnenewton[.]ca/ctlt8b

hxxp://agorarestaurant[.]ro/cg06f

hxxp://abercrombiesales[.]com/nmuch

hxxp://flurrbinh[.]net/3nrgpb

hxxp://dmamart[.]com/c5l2p

hxxp://codanuscorp[.]com/ay5v52r

hxxp://cafedelrey[.]es/snby1c

hxxp://vexerrais[.]net/84fwijj

hxxp://dessde[.]com/zcwaya

hxxp://villaamericana[.]net/84fwijj

hxxp://ayurvedic[.]by/b9kk9k

hxxp://dowfrecap[.]net/3muv

hxxp://odinmanto[.]com/57evyr

hxxp://centinel[.]ca/wkr1j6n

hxxp://berrysbarber[.]com/q6qsnfpf

hxxp://antivirus[.]co[.]th/jukwebgk

hxxp://odinmanto[.]com/7gplz

hxxp://www[.]cutillas[.]fr/lmc80sdb

hxxp://365aiwu[.]net/hbdo

hxxp://comovan[.]t5[.]com[.]br/byev5nd

hxxp://alpermetalsanayi[.]com/vuvls

hxxp://bielpak[.]pl/a79a64h

hxxp://dowfrecap[.]net/7qd7rck

hxxp://babuandanji[.]jp/lq9kay

hxxp://pastelesallegro[.]mx/ex67ri

hxxp://archmod[.]com/sapma

hxxp://drkitchen[.]ca/y5jllxe

hxxp://earthboundpermaculture[.]org/okez95b

hxxp://eroger[.]be/918p2q

hxxp://avon2you[.]ru/ayz1waqm

hxxp://handsomegroup[.]com/ae2y1hr

hxxp://vexerrais[.]net/3nx3w

hxxp://cosmobalance[.]com/jsqlt0g

hxxp://assetcomputers[.]com[.]au/lkfpyww

hxxp://odinmanto[.]com/2rw

hxxp://dinglihn[.]com/zg3pnsj

hxxp://thisnspeel[.]com/2qrn06f

hxxp://adriandomini[.]com[.]ar/bq62dx

hxxp://inzt[.]net/lbrisge

hxxp://elektronstore[.]it/z298ejb

hxxp://donrigsby[.]com/nts0mk

hxxp://bjshicheng[.]com/blewwab

hxxp://ck[.]co[.]th/r2k6i

hxxp://abclala[.]com/r2kvg

hxxp://lashouli[.]com/rq4xoq

hxxp://flurrbinh[.]net/0nbir

hxxp://competc[.]ca/qrc9n

hxxp://dowfrecap[.]net/6f9tho

hxxp://chaturk[.]com/mxaxemv

hxxp://odinmanto[.]com/0cz2zwz

hxxp://dowfrecap[.]net/0d08tp

hxxp://dekoral[.]eu/twnyr1s

hxxp://chandrphen[.]com/h4b1k

hxxp://drmulchandani[.]com/d6ymtf

hxxp://edrian[.]com/dfc33k

hxxp://fibrotek[.]com/deoq

hxxp://vexerrais[.]net/1jk8n

hxxp://accenti[.]mx/nryojp

hxxp://cheedellahousing[.]com/h24ph

hxxp://elleart[.]nl/gn3pim

hxxp://edubit[.]eu/b6ye94wv

hxxp://bst[.]tw/gnjeebt

hxxp://85[.]92[.]144[.]157/y8giadzn

hxxp://thisnspeel[.]com/04u77s

hxxp://dunyam[.]ru/jge1b3e

hxxp://flurrbinh[.]net/6mz3c5q

hxxp://eldamennska[.]is/h4yim

hxxp://bepxep[.]com/mo05j

hxxp://dwcell[.]com/dph861ws

hxxp://apidesign[.]ca/ijau8q2z

However, only four hardcoded command and control hosts were found to be supporting this Locky instance. They are listed below.

hxxp://195.123.211[.]229/message[.]php

hxxp://188.65.211[.]181/message[.]php

hxxp://185.102.136[.]127/message[.]php

hxxp://185.67.0[.]102/message[.]php

Furthermore, a single payment site where the ransomware victim can pay the Bitcoin ransom in exchange for a purported decryption application was identified.

mwddgguaa5rj7b54[.]onion

The full PhishMe Intelligence report on this Locky analysis is available to PhishMe Intelligence clients here.

Another ransomware tool has been added to the ever-growing encryption ransomware market with the introduction of the Bart encryption ransomware. Named by its creators in its ransom payment interface as well as in the extension given to its encrypted files, the Bart encryption ransomware has leveraged some distinctive mechanisms for delivery during its early deployments. Furthermore, this ransomware shares some interface elements that evoke the same look and feel used by the Locky encryption ransomware ransom payment interface. In many ways the Bart encryption ransomware is a very mainstream encryption ransomware in both the files it targets for encryption (a full list of these file extensions is included at the end of this post) as well as its demand for a sizable Bitcoin ransom. However, a number of elements related to this encryption ransomware are noteworthy when viewed through the lens of recent developments in the phishing threat landscape.

Reuse of infrastructure supporting malware distribution is a well-documented characteristic of online crime and a key way to track and classify threat actors. While it may seem simplistic for monitoring threat actor activities, the IP addresses, domains, hostnames, and URLs contacted by malware tools betray a significant amount of information about threat actor groups. For some malware attacks, it’s possible to determine the threat actor’s identity based on the infrastructure used, but, other times, the lines are blurred because some organizations harbor cyber criminals.

On February 16, 2016, PhishMe’s Intelligence team identified a number of significantly large sets of emails delivering Word documents containing macro scripts used to download a malware payload. This malware delivery technique has been ubiquitous among many threat actors over the past year but has been most prolifically used by threat actors delivering the Dridex financial crimes trojan. The scope of Locky’s delivery in its first full day of deployment is staggering. As our friends at Palo Alto Networks have shown, over 400,000 endpoints around the world were affected by this encryption ransomware in mere hours. As we pointed out in our recent piece on Dridex, nearly three quarters of Dridex samples in 2015 where delivered using some form of Office documents using macro scripts as a download tool.

From time to time, there will be an overlap with malware infrastructure where one attacker will compromise another attacker’s infrastructure. Typically, this is part of the “compromised infrastructure” which can fluctuate, and attackers have even been seen to uninstall one another’s malware. However, in this case, we strongly believe that the actors are experimenting with Dridex, Pony, and Neutrino.